Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

thadmiller writes "Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet."Update: Jason Livingood
of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.

From blocking as "possible spam" me@comcast.net from sending a nearly empty email containing just one URL to me@work.com where I want to use it. WTF?

To this week's episode where Comcast webmail was totally foobar/frozen after half loading, until I purged every one of the dozen or more comcast related cookies from my browser. They apparently trust the data the client gives them too much, and expect all these cookies to have consistent state.

This is why I eventually decided it wouldn't be detrimental to me at all to outright block outgoing SMTP at my router - I exclusively use gmail for my email now.

Unfortunately, precedent says they will act on this by blocking all access if a compromise is detected - Time Warner has a "two strikes and you're out" deal - The first time ANY sort of complaint comes in, you get a temp-block that can be lifted by clicking a URL. Second report, even if it's 1.5 months later, will result in service shutoff until yo

I like the idea a lot, but I don't know that there will be enough information for everybody.

When my ISP notified me of problems, it took a while to get enough information to figure out what was going on. As it turned out, it wasn't on a Windows box, and it wasn't a virus per se, but rather an inadequate password on an unsecured port. A message like "YOU HAZ BEEN PWNED!!!! HAHA!!" wouldn't have been enough for me to go on.

Still, the ISP is in an excellent position to watch accounts for bot-like activity, and is likely to be the first one to know.

My guess would be that those Comcast customers who insist they don't need anti-virus and do know how to surf the Web safely are going to get unexpected notices.

I agree, and I think it is surprising it has taken this long to launch this service. This is a chance for Comcast to save money on bandwidth, improve their quality of service, and do something good for their users and for the Internet at large. They can do the right thing while increasing profits!

That being said, I'm sure they can find ways to screw it up. A pop up notice in the user's malware-infected browser is not the way to notify customers.

No, but what they can do is redirect outgoing traffic that is destined to port 80 on some server to their server so that you go to google.com, but end up going to server.isp.com and getting the notice. Some of the ISPs in my country do this for other purposes too, for example to remind the user that he still hasn't paid for the connection this month.

Many years ago I fixed someones windows installation.The user originally complained about a subtle windows annoyance, and a system that was running a bit slow.What I found when I started digging, was the most badly infected computer I have EVER seen to date.Many of the viruses were craftily avoiding all attempts at removal, so I backed up data only and reinstalled.Some of the backup was useless due to an encrypting virus.

A week later that original annoyance was back. It turns out that on the same day, the user had downloaded kazaa and all the programs they felt were MUST HAVE, and with a combination of screen savers, custom mouse pointers, and other assorted crap recreated the exact same malware+virus infected state.

So basically everyone from lusers to geeks have in their mind what their ideal system is, and from a fresh install we tweak towards that OS ideal.

Last time I encountered a system that badly infected, after cleaning it I put the free version of a decent AV on the machine and told them that if they tried to download anything dodgy again and the AV cut the connection, not to try to download it again.A month later they came back and asked where to download the AV from, because some of their friends' pcs are in similar state and they're sick of getting virus-infected emails from them.

I bet most run-of-the-mill users don't know they have the infection and could act upon it if they knew.

The problem is that most customers cannot do anything about their problems, except take the computer to someone that can help them. And because that is going to cost money, most people are going to wait until after Christmas, or after their vacation, or after their vacation after Christmas. Or until hell freezes over.

Assuming a pop-up of any sort is going to actually inform people is a mistake - almost everyone has some kind of pop-up blocking in effect today and the ones that get through are ignored.

The right thing to do is contact the person and see if they can explain the activity. No contact, cut off the account. No explaination, cut off the account. It does little good for the other 6 billion people on the planet to let infected computers continue to spew spam and phishing emails.

Yeah, Also, because If I got a pop-up that said, "your pc is infected" I would just close it and say "stupid phishers you'll never get me!" So, I'm guessing that pop-ups would be much less effective then a real piece of mail/phone message.

Here in the UK one of my previous ISP's claimed my computer was infected with some worm, but how did I find this _lie_ they told me?

Whilst I was using my internet connection they started to flood my router and pc's open ports with packets. Whilst the router and pc were able to repel their attack on my machine which lasted some minutes, they did not impress me with their accusation and then tactics against my machine, I thought it was under a "genuine" DDOS attack which was saturating my connection.

"I don't think they will cut off customers. It would be a huge support hassle for them. We lost connection the other day and they sent out a tech guy the next day. That can't be cheap considering they are all contractors."
They shut them down already. This is just a way to cut costs by automating the notification process and giving infected customers a chance to clean up the problems themselves before they spew enough spam that a disconnection is needed. I certainly hope that they disconnect customers wh

It depends. It could be a good thing. Or if they use an overly broad interpretation of what might indicate virus or botnet activity, I could see it becoming a tool to shut down customers who just use a lot of bandwidth.

Plus, even if Comcast's intentions are good, it seems like a great way (for others) to phish. Think about it. Users are not used to seeing notices from comcast, but maybe they've heard about this initiative. So they get a pop-up saying "Comcast service notice. Your PC may be infected. C

Comcast: You're using more bandwidth than we'd like you to, so you're obviously a spammer. Prove that your not infected and we'll turn you back on./dotter: I run Linux!

Comcast: So you're not running antivirus purchased from a Comcast-approved vendor then? Please let us know when you've installed Norton or Mcaffee, and we'll be able to move to step two, where you prove you have the latest Windows Updates.

I had a similar situation, somebody brought over a zombie XP machine that started spamming. They were house sitting while I was out of town. Anyway, if you talk around to the right person and call about 5 different numbers, you CAN get port 25 unblocked, it just takes you getting in touch with the correct department...

Anyway, now my firewall doesn't let any "untrusted" ip addresses unfettered access to the internet anymore. Which is a pain when I bring the work laptop home and the VPN won't connect (unti

Maybe because it's configured to let everything out, just filter the incoming traffic...But probably it didn't do a good job there either, seeing as a computer behind it got infected (OTOH, it could have been an autorun virus)

I think what you are describing is very close the the fake Antivirus 2009 malware that I have seen a lot of recently (popup with a link to software). I would imagine if ISPs started doing this, it would be easier for the bad guys to spoof users into installing software "to clean their infeced PC" that was "recommended" by their own ISP.

I'd think the solution could be more like what they do when they are messing with DNS - identify customers with issues, redirect their DNS queries to a box that puts up a page that describes what is going on, why they are seeing that page instead of google or whatever, and a number to call at the ISP for assistance.

Trust me, I'd most definitely sue, and if I have a competent lawyer that can prove actual damages, I will win and hit them for all they are worth.
--
Before commenting on the Bible, please read it first [biblegateway.com]

Wow, a little quick to sue, aren't we?

1 Corinthians 6:7 The very fact that you have lawsuits among you means you have been completely defeated already. Why not rather be wronged? Why not rather be cheated?

I'm undoing a bunch of moderation just to point out that you're an idiot. I hate to be so blunt, but it's the truth. If you want uninterrupted, business class service then pay for it and get an SLA in writing that explicitly spells out the obligations of both parties. In fact if you're on Comcast and you go ahead and just cross your fingers and hope for the best, I think a decent lawyer could sue you for negligence if Comcast's proactive measures impact your business. You are now aware that they might be doing this. If you don't take steps to mitigate it, you're the one who is at fault. As a business owner, you need to take steps to ensure that you can deliver what you promise to your clients. Trying to blame Comcast for a technical glitch strikes me as the digital equivalent of "sorry, the dog ate my homework".

It seems like a good thing, so long as there's some way to tell Comcast, "No, my PC really isn't infected, I just run a mailing list," or something. I'm not sure opting out would be the right solution, though, because if someone is participating in a botnet, they should be subject to warnings (and eventually being disconnected).

I disagree. Using pop-ups as the notification method will likely trigger a new round of malware attacks that look like official Comcast notifications, complete with helpful links to download scanner and removal tools.

I disagree. Using pop-ups as the notification method will likely trigger a new round of malware attacks that look like official Comcast notifications, complete with helpful links to download scanner and removal tools.

When AT&T ran things during the ATTBI days they would routinely shutdown connections for subscribers who had known issues (trojans, etc). It would set their cable modem config file to some dummy one which would only get them to AT&T internal network pages and they'd have to call in to get working again--if they fixed the problem.

I don't see why that type of thing can't be restarted. Maybe there are just so many infected machines (and based on my webserver logs from Comcast's IP ranges, I'd guess this is true) that their phone staff just wouldn't be able to handle the volume.

Two words:
False Positives.
Ok, so I can't stick to two words... When a business is legally using their internet connection (a contractor uploading a very large set of files, including videos, etc., to update a client's live website, for example), and Comcast's actions cause that company to lose business or money due to breach of contract (deadlines are missed, live site goes down due to having only partially updated their files due to Comcast cutting the connection, etc.), there will be lawsuits, and Comcast will likely lose.

so block only porn sites. then they can do all the useful stuff they normally do, but you can bet your ass they'll be calling in pronto. (the conversation will then go as follows: "some sites aren't working!" "for example?" "uh.. I don't recall specifically.")

See my previous response to your other post. If you are a contractor who is promising to get things done, it is on you to ensure that you are able to get them done. That means either get an SLA with an ISP who won't cut you off and will promise in writing that they won't cut you off, or get a firewall that will fail over to a secondary connection in case you do run into problems with your primary ISP. If you want to really cover your ass, do both because as we all know, shit happens. The best SLA in the

I agreed with you at the beginning. But, on a second thought, pop-ups may also be a good way to catch people that, in fact, click on them.I mean, if people click on popups telling you they have a virus (and actually get one), why wouldn't they click on Comcast's window anyways. People that don't click on popups or have them blocked, will simply keep ignoring them. It could be annoying though, but may work.

It's really too bad that a cable company doesn't have any other means of communicating with their customers other than the internet. If only some how they could find out where their customers live, which I admit does sound like a startling infringement on their customers' right to privacy, they could convey such a warning with out worrying about web etiquette or spam filters.

-Rick

PS: In case your browser doesn't support them, there are sarcasm tags on the proceeding paragraph.

It's really too bad that a cable company doesn't have any other means of communicating with their customers other than the internet.

Hehe, you're watching TV with the family, and at the next commercial break you see a guy in an easy chair, reading the newspaper. He looks up at the camera and says "Hi there Rick! I'm Jim, from Comcast. Enjoying the show? Hey I'm afraid I've got a bit of bad news - it looks like your computer is infected with BugBot32/A."

[comcast senses new p2p activity coming from a home IP]Comcast Pop: Dear User, you recently installed a networked application. This application is spyware and is probably stealing your credit card information as we speak. For your safety, remove the software and any corrupted media downloaded by it.

You forgot one of my favorites...use it as an excuse to try to force you to buy some rebranded crappy AV 'solution" from them. That is what I had happen a few years back when I was stuck on HughesNet (ZOMG it sucked!) and decided to try the new WISP that had just set up. In the month and a half I had it I must have been 'disconnected because of virus' a good 25+ times. Which at first was almost funny as all I had at the time was a Linux laptop that was locked down tight.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system

... or it could mean someone decided to seed every ISO known to man at the same time.

I know that's probably not something Comcast is interested in supporting, but it's not against the ToS, so I really hope they aren't going to automate any disconnections (even temporary) based on this.

Depends how smart their profiles are. Many worms are distinctly different from bittorrent and any normal use in their scanning of address ranges and attempts to log in or go to known control sites or download known malware packages. I work at a large university and we use netflow info all the time to pinpoint infected machines on campus with a very high accuracy.

as someone says above, isn't notifying of possible infections a good thing? I mean enterprise supposedly has better ways to detect it than a normal consumer, especially since comcast in the ISP business?

Additionally, it's something that not only is good for consumers but good for comcast, assuming they don't use it as false positives to cut off bittorrent users (which I find unlikely to happen anyway).

"The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers to security problems, Opperman said."

So wait, instead of a personal phone call (which they apparently had been doing before anyway), now it'll be a popup just like the 50 other ones the user sees because he or she's infected with malware to begin with?

Pardon me if I assume that everything Comcast does is anti-consumer unless proven otherwise. Their record certainly reinforces this skepticism. Sounds to me like they are trying yet again to scare people who torrent or use P2P oftware. Of course since they "can't" throttle, they are coming up with new ways to encourage their paying customers to use less of their "unlimited" bandwidth. Thanks for loking out for us Comcast.

A co-worker of mine recently had his service terminated because he had exceeded 1TB of downloading in a month. I'm not sure if this is a regional thing, but that seems like a really high cap. Ultimately, he called them and the solution was to upgrade to a business class connection. It ended up costing him an additional $20 (iirc) a month, but he now has a higher upstream and a static IP. He was cool with that as it seems this works out better for him anyway, but any sort of cap for an advertised unlimit

A co-worker of mine recently had his service terminated because he had exceeded 1TB of downloading in a month. I'm not sure if this is a regional thing, but that seems like a really high cap. Ultimately, he called them and the solution was to upgrade to a business class connection. It ended up costing him an additional $20 (iirc) a month, but he now has a higher upstream and a static IP. He was cool with that as it seems this works out better for him anyway, but any sort of cap for an advertised unlimited service is a bit ridiculous.

Not likely since they had announced (october 2008) that their monthly cap was 250 gigs a month. If it was recently then there was a serious problem where he was breaking their TOS for nearly a year.

Sure thing, users NEVER get popup warnings about being infected and promptly ignore them... Unless they are really from the virus itself and are asking for credit card information.

This is so true. I was asked to look at a Windows box the other day because of numerous pop-up alerts about attacks from the Internet(s). I never heard of the "security software" which gave these warnings, so I disconnected it from the Internet. Guess what, it was supposedly still being "attacked" on random ports by random IPs.

On three different occasions, I have had advertisements saying that they had detected viruses and spyware on my computer. They then offer to scan my hard disk for free. When I try to close the tab, or try to say no, they then go ahead and pretend to scan my hard drive. After about 60 seconds of supposedly scanning my 500 GB hard drive, they announce that they have found 2 viruses on drive C, and also spyware in my registry.Since Linux does not use alphabetical letters as name for hard drives or partition

But having to set a cookie on each machine I want to disable their fucking dns redirect doesn't give me much hope. Love the speed.. hate the company!

I think we're slowly but surely seeing the end of what was a really great thing. Open unfiltered internet. In a few years it will be an expanded version of tv with none to little user control about what we want to see. Soon it will be.. we noticed your IP has downloaded X amount of gigs in the last two days. It's impossible that you are doing anything legit and we are going to cancel or reduce your connection speeds for a month if you continue illegally downloading. PS. This may have been a virus and if so please take your pc to an **authorized vendor to clean it.

**Vendor may also scan for copyright infringements on your pc in which case it will be kept at evidence.

and I'm glad they did so. I was being lazy and neglected to install a virus scanner on one of the PCs hooked up here, and it got infected with conficker. Basically my ISP (XS4ALL, a Dutch ISP) detects this and blocks most of the traffic (getting mail still works), shows a warning page when you try to open a website, and some instructions on how to get through the blockade with a proxy, and how to clean up your PC. They'll only unblock you once you have gone through a number of steps to clean up your PC (running some trojan scanners etc.). This may seem harsh, but I think if every ISP did this there wouldn't be some many huge botnets out there and perhaps a lot less SPAM as well.

This seems harmless enough to me if Comcast provides an opt-out service (like they do for their DNS-redirection). Someone who's savvy enough to opt-out of this is probably not as likely to get malware-infected, and the rest of the population probably doesn't care very much about the service either way.
As for the monitoring aspect, I doubt that Comcast is actually examining customers' traffic any more as a result of this -- they're probably just using their existing heaps of data to implement this.

I know TFA shows it on Comcast's page.. but still this is Comcast we're talking about. Are they going to just inject a pop-up while I'm randomly surfing?
Also, prepare for brand-new phishing tactics in 3, 2, 1..
Also, joining the chorus on this being tied to anti-P2P intentions.

this proves and solves nothing, its a frogboil tactic they use to get customers familiar with their 'responsibility' on their network. soon it becomes "we kick you off if we find malware." Internet providers are already shovelling this bullshit with port scanning and automated warnings regarding account termination. Treating customers like dirt, redefining what "demand" is in terms of the business model, and shaping the services you supply sure is alot easier than actually scaling infrastructure to meet real-life demand.

Treating customers like dirt, redefining what "demand" is in terms of the business model, and shaping the services you supply sure is a lot easier than actually scaling infrastructure to meet real-life demand.

The business model is to keep the mass market consumer product affordable and drive the geek who wants "unlimited" broadband into paying the going rate for business or professional grade service.

Comcast story is that "we are testing a new "Service Notice" customer alert that lets people know if we have reason to believe their home computer has been infected with a bot. The Service Notice is sent to appear in their Web browser with a direct link to our Anti-Virus Center where they can diagnose the problem and take steps to fix it"

This sounds like they are going to inject the supposed "Service Notice" into tcp-streams on port 80 if you are using software Comcast never heard of such as GNU/Linux. T

Please be to aware that your computer has been infected by virus. Please click here and verify your payment information so we can authorize removal of your viruses. If you do not your account blocked!!!!

Comcast Gold PCGuard+ Express Pro has detected a significant overnight spike in your network usage that suggests your PC may be infected with a virus. This process has been identified as utorrent.exe. It is recommended that you delete all files related to this program immediately to keep your personal information secure.

I don't predict a good outcome from this. Comcast will be flooded with incoming tech support calls from customers, half panicked about a virus they don't have and the other half angrily denying a virus they do have. And Comcast will discover that the cost of all those calls far outweighs any benefits they receive from the new system.

one time shut off my DSL account. I was downloading a Red Hat Linux ISO file via BitTorrent. I called them up and they claimed they saw virus like activity on my connection and then shut off my Internet access to prevent my computer from infecting others. I told them I would remove the virus and they said they would restore access. I had to set my BitTorrent program to use a lower setting for bandwidth to avoid tripping off their false positive virus detection. I switched to a different DSL ISP after that.

I had a tech come by to fix a line issue. When his fix didn't work, he needed a computer to debug with. I let him use an extra laptop I had lying around. The jerk put some kind of Comcast toolbar on IE. I don't remember the details, but removing it was not trivial. Not insane, maybe, but definitely designed to be annoying for the average user to remove. I'm not sure if the tech was pressured to do that or if it was just something that the page he was told to access from users' machines did automatically. I just re-imaged the thing, but still. It left a bad taste in my mouth.

Ok.. so its Comcast and we can all assume they will handle it poorly, but I worked at a small local ISP and was responsible for implementing just such a system on our network. The system would notify our NOC engineers about suspected infections, they would investigate more fully, and if the traffic was really suspect, we would log a ticket with customer support who would then call the customer. If we were unable to contact the customer for 48 hours and they didn't call us back we would disable their service.

Now, it was a little different as we are small and local, and we would send a tech out to their house to help clean the virus off their machine. When customer service called that was part of the call.. It went something like this: "We have detected suspicious traffic coming from your connection. To protect our network and your neighbors who also use our service, if the traffic does not stop within 48 hours we will disconnect your service. If you need any information about the traffic in question we can have an engineer contact you. Also, if you need help installing, updating, or using virus and or spyware removal software, we will be happy to send a tech support engineer to your house to help you remedy this situation."

We didn't charge for that tech support house call, it was just part of providing excellent service. In short, if it were to be handled appropriately, I don't see any problem with this sort of system. That being said, I feel comcast will probably really botch this, just as any large telecom company would.

Our system never detected a false positive on for example bittorrent traffic. We did have some on the IRC ports, but less than 5% (not that many people actually use IRC anymore, on a residential ISP network, probably 95%+ of IRC traffic is botnet control). We never turned off someone's connection who was validly using IRC. The customer service tech would ask "do you use IRC?" almost everyone would say "uh.. what is that?" The few people who use it would say "Yes I do" and we would say "Oh ok, that explains it" and that would be that.

We only ever turned off 1 person's connection, they had left their machine on and left on vacation and it was on a botnet. We disabled their connection as we didn't get a response from them, when they got back they called in, we sent out a tech and cleaned up their machine and that was that.

...that they called and told me that I had a zombie PC. I run updates, antivirus software and am very careful about where I go on the web, and what I download. Despite all my precautions, though, my PC got infected via an infected CD from my office (autorun is now turned off, btw).
I got a call from Comcast saying that they'd noticed some odd traffic. The tech guy said it looked like my PC had been infected although it didn't seem to be actively sending/receiving any unusual data. After a quick re-scan with my antivirus software, it was gone, and all was right with the world (well, my tiny corner of it, anyway).
I was used to Comcast sucking hardcore before this happened. Now my attitude is a little better toward them -- the Comcast tech guy knew his stuff, and was very helpful.

How would you notify customers that their machine is spewing spam or part of a botnet? Would you continue with the phone calls? Surely paying people to call customers about a virus can't be cheap, and doesn't scale. What is your ISP doing about this?

Even if what comcast is doing isn't the best solution, it's gotta be better than doing nothing, or taking the draconian measures of turning off service until you call in and they tell you, "Sir/Ma'am we turned off your service because your home computer is sending out spam. Once you've fixed it, we'll turn your service back on." I work at a "large database company" and in our labs if a lab machine is detected to be infected, the lab admins will shut of the ethernet drop that server connects to until you fix it.

Don't allow outgoing connections to a SMTP server other than the one the ISP runs, and use SMTPAuth or similar would go a long way to stopping this. Heck, most of the ISPs in the area I live already do part 1...

All that it takes is for the ISP to block traffic to any port 25 destination BY DEFAULT, and remove that block for any customer that asks for it to be removed. At the same time, the ISP should also provide assistance to customers that need to do things like send email through their office/work address, so that most of those customer would not need to ask for port 25 to be unblocked. Then, most of those that do ask for port 25 to be fully open would either be running an OS that doesn't get so infected like that, or would know how to properly secure their OS from viruses.

The idea of quarantine networks have been around for a few years in the enterprise market segment. Any hardware that hasn't been pre-authorized is scanned for compliance and if out of compliance, it is locked into a network DMZ where it can only access servers that assist in bringing it into compliance with network security policies (ie, servers that install anti-virus software, etc). Once it has passed the compliance tests, it gets access to the rest of the network.

Now it would be great if Comcast could pre-screen customers' computers for compliance, but lets face it, that won't happen. They are in the situation where they already have a bunch of compromised computers and they need to deal with them. So they quarantine the compromised computers and hijack their DNS settings so that when they browse the web, they get pointed toward a webpage that has basic cleaning instructions. Since we're talking about Windows boxes they would be forced to download the Microsoft Malicious Software Cleaning tool (or whatever the monthly tool that cleans all of the common infections is called these days). They could be given links to free anti-virus software pages like Microsoft Security Essentials, AVast, etc. They could be given links to alternate browsers like Firefox.

Once the customers run all of those tools, they could be given the number to phone support. Delaying the option to call support could mitigate the volume of support calls.

All things considered, Comcast is going out on a limb with this one. They risk losing customers who might find it easier to just go with another ISP. They are putting themselves at a competitive disadvantage if other ISPs don't follow their lead. I think we can all agree that more ISPs should be doing what they can to address the problem of malware infected PCs. I also think we're all mature enough to recognize that addressing the problem isn't simple, and is in a lot of cases, beyond the ability of the average consumer. The last couple malware infected boxes I've had to deal with I ended up formatting and re-installing the OS. Even booting to LiveCDs and scanning the drives from a clean environment wouldn't get rid of everything.

Not seeing a relationship between your remarks and the news item in question, but I feel compelled to ask the questions: If your debt is in US $, aren't you also earning US $ to pay this debt off? How then are you ahead when the US $ is weak?

His mom gives him his allowance in Euros. Although, to be fair, it could just as easily be in Indonesian Rupiah. That's right, even money from a third world country like Indonesia (don't take this as bashing Indonesia, I have relatives from there) is winning against t